[jira] [Commented] (SOLR-10814) Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos authentication

Tue, 07 Jul 2020 09:40:22 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-10814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17152884#comment-17152884
 ] 

ASF subversion and git services commented on SOLR-10814:
--------------------------------------------------------

Commit d3f4b21deb0056098e9e888a6b9d72e0bf2d0834 in lucene-solr's branch 
refs/heads/master from Mike Drob
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=d3f4b21 ]

SOLR-10814 Add short-name feature to RuleBasedAuthz plugin

Additional-Author: Hrishikesh Gadre <hga...@cloudera.com>


> Solr RuleBasedAuthorization config doesn't work seamlessly with kerberos 
> authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: SOLR-10814
>                 URL: https://issues.apache.org/jira/browse/SOLR-10814
>             Project: Solr
>          Issue Type: Bug
>    Affects Versions: 6.2
>            Reporter: Hrishikesh Gadre
>            Priority: Major
>         Attachments: SOLR-10814.patch
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Solr allows configuring roles to control user access to the system. This is 
> accomplished through rule-based permission definitions which are assigned to 
> users.
> The authorization framework in Solr passes the information about the request 
> (to be authorized) using an instance of AuthorizationContext class. Currently 
> the only way to extract authenticated user is via getUserPrincipal() method 
> which returns an instance of java.security.Principal class. The 
> RuleBasedAuthorizationPlugin implementation invokes getName() method on the 
> Principal instance to fetch the list of associated roles.
> https://github.com/apache/lucene-solr/blob/2271e73e763b17f971731f6f69d6ffe46c40b944/solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPlugin.java#L156
> In case of basic authentication mechanism, the principal is the userName. 
> Hence it works fine. But in case of kerberos authentication, the user 
> principal also contains the RELM information e.g. instead of foo, it would 
> return f...@example.com. This means if the user changes the authentication 
> mechanism, he would also need to change the user-role mapping in 
> authorization section to use f...@example.com instead of foo. This is not 
> good from usability perspective.   



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to